A secure enclave is a memory aperture through which an application may process confidential information. For example, some secure enclaves are memory locations within a special range of physical memory in a computer system. The memory is encrypted under an ephemeral key created by a processor of the computer system at every power-on. As such, the memory is not accessible to any hardware devices in the computer system except the processor itself.
Secure enclaves may be used to process confidential information in memory locations that are not accessible by any other component and/or process of the computer system. For example, confidential information may be encrypted within a secure enclave. The encrypted information may only be decrypted within the secure enclave used to encrypt the confidential information. As such, data may be encrypted and decrypted without exposing the keys used to encrypt and/or decrypt the data. Accordingly, applications may interact with secure enclaves by calling the secure enclave using a variety of functions and passing any necessary data to the secure enclave. Due to the nature of the secure enclave and its use of specially encrypted memory locations, interaction with secure enclaves is limited to applications operating in user mode. Applications operating in kernel mode are prevented from interacting with secure enclaves.
As will be appreciated, applications responsible for initializing a computer system operate in kernel mode. For example, basic input/output system (“BIOS”) and unified extensible firmware interface (“UEFI”) are applications (or collections of applications) that initialize the various platform devices (especially the storage devices on which an operating system resides) necessary to start up a computer system. These applications operate in kernel mode and may be referred to as performing “pre-boot” operations for a computer system. There are instances where it is desirable to process confidential information in a secure enclave during pre-boot. For example, anti-theft technologies and full disk encryption technologies utilize a key (e.g., to unlock the computing device, decrypt the disk, or the like). The key is typically encrypted using a passphrase chosen by the user. During pre-boot, the user supplies the passphrase and the key is decrypted into plaintext in memory. However, because that memory is not protected, the plaintext key may be accessible to another application.
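The following model, added here for illustration and not part of the original text or of any vendor's enclave API, makes the properties described above concrete: a per-power-on root key that never leaves the processor, sealing that is bound to the identity of the enclave that performed it, rejection of kernel-mode callers, and the pre-boot path in which a passphrase-derived key unwraps the disk key into ordinary memory. The HMAC-based stream cipher, the `Processor` and `Enclave` classes, the enclave identities, the passphrase and the salt are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a PRF). Toy cipher for the model, not for production."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key (or tampering) raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Processor:
    """Models the CPU: the enclave root key is created fresh at every power-on."""

    def __init__(self) -> None:
        self.power_on()

    def power_on(self) -> None:
        self._ephemeral_key = secrets.token_bytes(32)

    def seal_key(self, enclave_identity: bytes) -> bytes:
        # Bound to both the current boot and the calling enclave's identity, so data
        # sealed by one enclave on one boot cannot be unsealed by any other (enclave, boot).
        return hmac.new(self._ephemeral_key, b"seal:" + enclave_identity, hashlib.sha256).digest()


class Enclave:
    """Models one enclave; only user-mode callers may enter it (as the text describes)."""

    def __init__(self, cpu: Processor, identity: bytes) -> None:
        self._cpu, self._identity = cpu, identity

    @staticmethod
    def _check_mode(caller_mode: str) -> None:
        if caller_mode != "user":
            raise PermissionError(f"{caller_mode}-mode caller cannot enter the enclave")

    def seal(self, secret: bytes, caller_mode: str = "user") -> bytes:
        self._check_mode(caller_mode)
        return encrypt(self._cpu.seal_key(self._identity), secret)

    def unseal(self, blob: bytes, caller_mode: str = "user") -> bytes:
        self._check_mode(caller_mode)
        return decrypt(self._cpu.seal_key(self._identity), blob)


def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a wrapping key from the user's passphrase (the pre-boot path in the text)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def demo() -> dict:
    """Exercise each property of the model and return the outcomes for inspection."""
    cpu = Processor()
    fde = Enclave(cpu, b"fde-enclave-v1")          # constructed identity
    other = Enclave(cpu, b"some-other-enclave")    # constructed identity
    disk_key = secrets.token_bytes(32)
    results = {}

    sealed = fde.seal(disk_key)
    results["same_enclave_unseals"] = fde.unseal(sealed) == disk_key
    try:
        other.unseal(sealed)
        results["other_enclave_unseals"] = True
    except ValueError:
        results["other_enclave_unseals"] = False
    try:
        fde.unseal(sealed, caller_mode="kernel")
        results["kernel_mode_allowed"] = True
    except PermissionError:
        results["kernel_mode_allowed"] = False
    cpu.power_on()  # new ephemeral root key: earlier sealed blobs are now unrecoverable
    try:
        fde.unseal(sealed)
        results["sealed_blob_survives_reboot"] = True
    except ValueError:
        results["sealed_blob_survives_reboot"] = False

    # Pre-boot path from the text: disk key wrapped under a passphrase and decrypted
    # into ordinary memory, where any kernel-mode code could read it.
    salt = b"constructed-salt"
    wrapped = encrypt(passphrase_key("correct horse", salt), disk_key)
    in_ordinary_memory = decrypt(passphrase_key("correct horse", salt), wrapped)
    results["plaintext_key_in_ordinary_memory"] = in_ordinary_memory == disk_key
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the model shows the contrast the passage draws: the sealed disk key is recoverable only by the same enclave on the same boot and only from user mode, whereas the passphrase path leaves the disk key in plaintext in memory that the enclave does not protect.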
Thus, there is a need to access secure enclaves by a kernel mode application, particularly during pre-boot, to provide for secure processing of confidential information by the applications operating in kernel mode.